{
  "threat_severity" : "Moderate",
  "public_date" : "2023-02-07T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: double free after calling PEM_read_bio_ex",
    "id" : "2164494",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2164494"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-415",
  "details" : [ "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\nThe OpenSSL asn1parse command line application is also impacted by this issue.", "A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (for example, \"CERTIFICATE\"), any header data, and the payload data. If the function succeeds, then the \"name_out,\" \"header,\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. Constructing a PEM file that results in 0 bytes of payload data is possible. In this case, PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a freed buffer. A double-free will occur if the caller also frees this buffer. This will most likely lead to a crash. This could be exploited by an attacker who can supply malicious PEM files for parsing to achieve a denial of service attack." ],
  "statement" : "A double-free vulnerability was found in the OpenSSL library in the PEM_read_bio_ex() function and its wrappers. The flaw is triggered when the library parses a specially crafted PEM file constructed to have zero bytes of payload data. This edge case causes the function to return a failure code but also populate a header argument with a pointer to memory that has already been freed, leading to a double-free condition if the calling application also attempts to free it, resulting in a crash and a denial of service. The flaw is rated as moderate because it results in a crash but does not allow code execution, memory corruption beyond the crash, or data leakage.\nThe versions of `shim` as shipped with Red Hat Enterprise Linux 8 and 9 are shipping OpenSSL 1.1.1 and 1.0.2, which do not contain the incorrect code, so those are not affected by this CVE.",
  "affected_release" : [ {
    "product_name" : "JBCS httpd 2.4.51.sp2",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3355",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "openssl"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3354",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-1:1.1.1k-14.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3354",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.1.1k-14.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2932",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "edk2-0:20220126gitbb1bba3d77-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-03-22T00:00:00Z",
    "advisory" : "RHSA-2023:1405",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssl-1:1.1.1k-9.el8_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-05-31T00:00:00Z",
    "advisory" : "RHSA-2023:3408",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "openssl-1:1.1.1k-9.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-02-28T00:00:00Z",
    "advisory" : "RHSA-2023:0946",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.1-47.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2165",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "edk2-0:20221207gitfff6d81270b5-9.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-02-28T00:00:00Z",
    "advisory" : "RHSA-2023:0946",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.1-47.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2023-03-14T00:00:00Z",
    "advisory" : "RHSA-2023:1199",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "openssl-1:3.0.1-46.el9_0"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3421",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "openssl"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3420",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7",
    "package" : "jws5-tomcat-native-0:1.2.31-14.redhat_14.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3420",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8",
    "package" : "jws5-tomcat-native-0:1.2.31-14.redhat_14.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3420",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9",
    "package" : "jws5-tomcat-native-0:1.2.31-14.redhat_14.el9jws"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "ovmf",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "compat-openssl10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "shim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "compat-openssl11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "shim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-4450\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-4450\nhttps://www.openssl.org/news/secadv/20230207.txt" ],
  "name" : "CVE-2022-4450",
  "csaw" : false
}